From bc85f1704e29bf6f3b73f4955443ccb303fb978d Mon Sep 17 00:00:00 2001 From: Micah Nagel Date: Wed, 7 Feb 2024 11:50:12 -0700 Subject: [PATCH 01/10] wip: authservice burning boats --- src/authservice/chart/Chart.yaml | 23 +++ src/authservice/chart/templates/_helpers.tpl | 58 +++++++ src/authservice/chart/templates/authn.yaml | 27 +++ src/authservice/chart/templates/authz.yaml | 45 +++++ .../chart/templates/deployment.yaml | 99 +++++++++++ src/authservice/chart/templates/secret.yaml | 154 +++++++++++++++++ .../chart/templates/uds-package.yaml | 32 ++++ src/authservice/chart/values.yaml | 162 ++++++++++++++++++ src/authservice/common/zarf.yaml | 14 ++ src/authservice/tasks.yaml | 18 +- src/authservice/values/registry1-values.yaml | 3 + src/authservice/values/upstream-values.yaml | 3 + src/authservice/zarf.yaml | 33 +++- 13 files changed, 661 insertions(+), 10 deletions(-) create mode 100644 src/authservice/chart/Chart.yaml create mode 100644 src/authservice/chart/templates/_helpers.tpl create mode 100644 src/authservice/chart/templates/authn.yaml create mode 100644 src/authservice/chart/templates/authz.yaml create mode 100644 src/authservice/chart/templates/deployment.yaml create mode 100644 src/authservice/chart/templates/secret.yaml create mode 100644 src/authservice/chart/templates/uds-package.yaml create mode 100644 src/authservice/chart/values.yaml create mode 100644 src/authservice/common/zarf.yaml create mode 100644 src/authservice/values/registry1-values.yaml create mode 100644 src/authservice/values/upstream-values.yaml diff --git a/src/authservice/chart/Chart.yaml b/src/authservice/chart/Chart.yaml new file mode 100644 index 000000000..b66be7037 --- /dev/null +++ b/src/authservice/chart/Chart.yaml 
@@ -0,0 +1,23 @@ +apiVersion: v2 +name: authservice +description: A Helm chart for Istio Authservice + +# A chart can be either an 'application' or a 'library' chart. +# +# Application charts are a collection of templates that can be packaged into versioned archives +# to be deployed. +# +# Library charts provide useful utilities or functions for the chart developer. They're included as +# a dependency of application charts to inject those utilities and functions into the rendering +# pipeline. Library charts do not define any templates and therefore cannot be deployed. +type: application + +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +# Versions are expected to follow Semantic Versioning (https://semver.org/) +version: 0.5.3 + +# This is the version number of the application being deployed. This version number should be +# incremented each time you make changes to the application. Versions are not expected to +# follow Semantic Versioning. They should reflect the version the application is using. +appVersion: 0.5.3 diff --git a/src/authservice/chart/templates/_helpers.tpl b/src/authservice/chart/templates/_helpers.tpl new file mode 100644 index 000000000..c081b1d37 --- /dev/null +++ b/src/authservice/chart/templates/_helpers.tpl 
@@ -0,0 +1,58 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "authservice.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "authservice.fullname" -}} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "authservice.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "authservice.labels" -}} +helm.sh/chart: {{ include "authservice.chart" . }} +{{ include "authservice.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "authservice.selectorLabels" -}} +app.kubernetes.io/name: {{ include "authservice.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "authservice.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "authservice.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} diff --git a/src/authservice/chart/templates/authn.yaml b/src/authservice/chart/templates/authn.yaml new file mode 100644 index 000000000..5b45f8557 --- /dev/null +++ b/src/authservice/chart/templates/authn.yaml 
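Review bot: The `authservice.serviceAccountName` helper dereferences `.Values.serviceAccount.create`, but values.yaml in this patch defines no `serviceAccount` key and deployment.yaml never sets `serviceAccountName`, so the helper is dead code that would abort rendering with a nil-pointer template error the moment any template includes it, and the pod meanwhile runs under the namespace's `default` service account. Either drop the helper, or add `serviceAccount: {create: false, name: ""}` to values.yaml and wire `serviceAccountName: {{ include "authservice.serviceAccountName" . }}` into the Deployment so the workload gets its own identity rather than `default`.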
@@ -0,0 +1,27 @@ +# Authservice is non-functional without Istio/RequestAuthentication but we wrap this in a conditional to handle standalone testing +{{- if .Capabilities.APIVersions.Has "security.istio.io/v1beta1" }} +{{- $jwks_uri := default $.Values.global.jwks_uri $.Values.jwks_uri }} +apiVersion: security.istio.io/v1beta1 +kind: RequestAuthentication +metadata: + name: jwt-authn + namespace: istio-system +spec: + selector: + matchLabels: + {{ .Values.selector.key }}: {{ .Values.selector.value | quote }} + jwtRules: + {{- if .Values.issuer_uri }} + - issuer: {{ .Values.issuer_uri }} + {{- else }} + - issuer: https://{{ .Values.global.oidc.host }}/auth/realms/{{ .Values.global.oidc.realm }} + {{- end }} + {{- if .Values.global.jwks }} + jwks: {{ .Values.global.jwks | quote }} + {{- else if $jwks_uri }} + jwksUri: {{ $jwks_uri }} + {{- else }} + jwksUri: https://{{ .Values.global.oidc.host }}/auth/realms/{{ .Values.global.oidc.realm }}/protocol/openid-connect/certs + {{- end }} + forwardOriginalToken: true +{{- end }} diff --git a/src/authservice/chart/templates/authz.yaml b/src/authservice/chart/templates/authz.yaml new file mode 100644 index 000000000..7d3a814e4 --- /dev/null +++ b/src/authservice/chart/templates/authz.yaml 
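Review bot: The jwtRule carries no `audiences`, so any token minted by the realm is accepted here and, through the `jwt-authz` policy in the sibling template, by every workload that carries the selector label — a bearer token issued to one Keycloak client can be replayed against any other protected app. If that cross-client reuse is not intended, add an `audiences:` list to the rule (the chart already knows `global.client_id`, though per-chain clients would need a list), or document that audience checking is the application's responsibility. A one-line comment beside `forwardOriginalToken: true` noting that the upstream app receives the raw bearer token would also help, since that line is what decides whether tokens ever leave the sidecar.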
@@ -0,0 +1,45 @@ +# Authservice is non-functional without Istio/AuthorizationPolicy but we wrap this in a conditional to handle standalone testing +{{- if .Capabilities.APIVersions.Has "security.istio.io/v1beta1" }} +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: authservice + namespace: istio-system +spec: + selector: + matchLabels: + {{ .Values.selector.key }}: {{ .Values.selector.value | quote }} + action: CUSTOM + provider: + name: authservice + rules: + {{- if .Values.allow_unmatched_requests }} + - {} + {{- else if .Values.custom_authpolicy_rules }} +{{ .Values.custom_authpolicy_rules | toYaml | indent 2 }} + {{- else }} + - to: + - operation: + hosts: + - "*.{{ .Values.domain }}" + {{- end }} +--- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: jwt-authz + namespace: istio-system +spec: + selector: + matchLabels: + {{ .Values.selector.key }}: {{ .Values.selector.value | quote }} + rules: + - from: + - source: + requestPrincipals: + {{- if .Values.issuer_uri }} + - "{{ .Values.issuer_uri }}/*" + {{- else }} + - "https://{{ .Values.global.oidc.host }}/auth/realms/{{ .Values.global.oidc.realm }}/*" + {{- end }} +{{- end }} diff --git a/src/authservice/chart/templates/deployment.yaml b/src/authservice/chart/templates/deployment.yaml new file mode 100644 index 000000000..2729985d8 --- /dev/null +++ b/src/authservice/chart/templates/deployment.yaml 
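Review bot: The fallback rule at the bottom of the CUSTOM policy renders `hosts: - "*.{{ .Values.domain }}"`, but I do not see a `domain` key anywhere in the chart's values.yaml in this patch, so with `custom_authpolicy_rules` cleared and `allow_unmatched_requests: false` the rule becomes `"*."`, nothing is ever forwarded to authservice, and every unauthenticated request falls through to `jwt-authz` and is denied — login silently breaks. Either add `domain` to values.yaml (UDS already carries a domain variable it could be templated from) or write `{{ required "domain is required when custom_authpolicy_rules is empty" .Values.domain }}` so the misconfiguration fails at render time. A short comment above both policies that they live in `istio-system` and therefore apply mesh-wide to any pod with the `{{ .Values.selector.key }}` label would also help reviewers of downstream charts.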
@@ -0,0 +1,99 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "authservice.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "authservice.labels" . | nindent 4 }} +spec: +{{- if not .Values.autoscaling.enabled }} + replicas: {{ .Values.replicaCount }} +{{- end }} + selector: + matchLabels: + {{- include "authservice.selectorLabels" . | nindent 6 }} + template: + metadata: + annotations: + checksum/config: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }} + {{- with .Values.podAnnotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "authservice.selectorLabels" . | nindent 8 }} + spec: + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} + containers: + - name: {{ .Chart.Name }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- if .Values.global.certificate_authority }} + env: + - name: SSL_CERT_FILE + value: /mnt/ca-bundle/ca-bundle.crt + {{- end}} + ports: + - name: http + containerPort: 10003 + protocol: TCP + livenessProbe: + tcpSocket: + port: 10003 + readinessProbe: + tcpSocket: + port: 10003 + resources: + {{- toYaml .Values.resources | nindent 12 }} + volumeMounts: + - name: {{ include "authservice.name" . 
}} + mountPath: /etc/authservice + {{- if .Values.global.certificate_authority }} + - name: ca-bundle + mountPath: /mnt/ca-bundle + {{- end }} + {{- if .Values.global.certificate_authority }} + initContainers: + - name: update-ca-bundle + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + command: + - sh + - -c + - | + cat /etc/pki/tls/certs/* > /mnt/ca-bundle/ca-bundle.crt + volumeMounts: + - name: sso-tls-ca + mountPath: /etc/pki/tls/certs/oidc-ca.crt + subPath: oidc-ca.crt + readOnly: true + - name: ca-bundle + mountPath: /mnt/ca-bundle + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + volumes: + - name: {{ include "authservice.name" . }} + secret: + secretName: {{ include "authservice.fullname" . }} + {{- if .Values.global.certificate_authority }} + - name: sso-tls-ca + secret: + secretName: {{ include "authservice.fullname" . }}-sso-tls-ca + - name: ca-bundle + emptyDir: + sizeLimit: 5Mi + {{- end}} diff --git a/src/authservice/chart/templates/secret.yaml b/src/authservice/chart/templates/secret.yaml new file mode 100644 index 000000000..87955a139 --- /dev/null +++ b/src/authservice/chart/templates/secret.yaml 
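Review bot: Nothing in the pod spec sets `automountServiceAccountToken: false`, and no `serviceAccountName` is given, so authservice runs with the `default` service account's API token mounted even though nothing in this chart talks to the Kubernetes API; add `automountServiceAccountToken: false` under `spec.template.spec`. The image reference `{{ .Values.image.repository }}:{{ .Values.image.tag }}` renders a dangling `repo:` when `image.tag` is left at its documented default of `""`, despite the values comment promising a fallback to appVersion — use `{{ .Values.image.tag | default .Chart.AppVersion }}`. The `update-ca-bundle` init container also assumes the image ships `sh` and keeps its system bundle under `/etc/pki/tls/certs`, which holds for the Iron Bank build but I cannot confirm for the upstream ghcr image; a comment stating that assumption would save a debugging session when the upstream flavor is used with a custom CA.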
@@ -0,0 +1,154 @@ +{{- $jwks_uri := default $.Values.global.jwks_uri $.Values.jwks_uri }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "authservice.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "authservice.labels" . | nindent 4 }} +stringData: + config.json: | + { + "allow_unmatched_requests": {{ .Values.allow_unmatched_requests }}, + "listen_address": "0.0.0.0", + "listen_port": "10003", + {{- if .Values.trigger_rules }} + "trigger_rules": {{ toJson .Values.trigger_rules }}, + {{- end }} + "log_level": "{{ .Values.config.logLevel }}", + "default_oidc_config": { + "skip_verify_peer_cert": {{ $.Values.global.skip_verify_peer_cert }}, + {{- if and $.Values.global.authorization_uri $.Values.global.token_uri }} + "authorization_uri": "{{ $.Values.global.authorization_uri }}", + "token_uri": "{{ $.Values.global.token_uri }}", + {{- else }} + "authorization_uri": "https://{{ $.Values.global.oidc.host }}/auth/realms/{{ $.Values.global.oidc.realm }}/protocol/openid-connect/auth", + "token_uri": "https://{{ $.Values.global.oidc.host }}/auth/realms/{{ $.Values.global.oidc.realm }}/protocol/openid-connect/token", + {{- end }} + {{- if $.Values.global.jwks }} + "jwks": {{ $.Values.global.jwks | quote }}, + {{- else }} + "jwks_fetcher": { + {{- if $jwks_uri }} + "jwks_uri": "{{ $jwks_uri }}", + {{- else }} + "jwks_uri": "https://{{ $.Values.global.oidc.host }}/auth/realms/{{ $.Values.global.oidc.realm }}/protocol/openid-connect/certs", + {{- end }} + "periodic_fetch_interval_sec": {{ $.Values.global.periodic_fetch_interval_sec }}, + "skip_verify_peer_cert": "{{ $.Values.global.skip_verify_peer_cert }}" + }, + {{- end }} + "client_id": "{{ $.Values.global.client_id }}", + "client_secret": "{{ $.Values.global.client_secret }}", + "id_token": { + "preamble": "Bearer", + "header": "Authorization" + }, + "access_token": { + "header": "JWT" + }, + {{- if contains "\\n" $.Values.global.certificate_authority }} + 
"trusted_certificate_authority": "{{ $.Values.global.certificate_authority }}", + {{- else }} + "trusted_certificate_authority": {{ $.Values.global.certificate_authority | quote }}, + {{- end }} + "logout": { + "path": "{{ $.Values.global.logout_path }}"{{ if $.Values.global.logout_redirect_uri }}, + "redirect_uri": "{{ $.Values.global.logout_redirect_uri }}" + {{- else if $.Values.global.oidc }}, + "redirect_uri": "https://{{ $.Values.global.oidc.host }}/auth/realms/{{ $.Values.global.oidc.realm}}/protocol/openid-connect/token/logout" + {{- end }} + }, + "absolute_session_timeout": "{{ $.Values.global.absolute_session_timeout }}", + "idle_session_timeout": "{{ $.Values.global.idle_session_timeout }}", + "scopes": [] + }, + "threads": 8, + "chains": [ + {{- range $k, $v := $.Values.chains }}{{ if ne $k ( first (keys $.Values.chains | sortAlpha) ) }},{{ end }} + { + "name": "{{ $k }}", + "match": { + {{- if .match }} + "header": "{{ .match.header | default $.Values.global.match.header }}", + {{- if .match.prefix }} + "prefix": "{{ tpl .match.prefix $ }}" + {{- else if .match.equality }} + "equality": "{{ .match.equality }}" + {{- else }} + "prefix": "{{ $.Values.global.match.prefix }}" + {{- end }} + {{- else }} + "header": "{{ $.Values.global.match.header }}", + "prefix": "{{ $.Values.global.match.prefix }}" + {{- end }} + }, + "filters": [ + { + "oidc_override": { + {{- if and .authorization_uri .token_uri }} + "authorization_uri": "{{ .authorization_uri }}", + "token_uri": "{{ .token_uri }}", + {{- else if .oidc }} + "authorization_uri": "https://{{ .oidc.host | default $.Values.global.oidc.host }}/auth/realms/{{.oidc.realm | default $.Values.global.oidc.realm }}/protocol/openid-connect/auth", + "token_uri": "https://{{ .oidc.host | default $.Values.global.oidc.host }}/auth/realms/{{ .oidc.realm | default $.Values.global.oidc.realm }}/protocol/openid-connect/token", + {{- end}} + {{- if or .redis_server_uri $.Values.global.redis_server_uri }} + 
"redis_session_store_config": { + "server_uri": {{ .redis_server_uri | default $.Values.global.redis_server_uri | quote }} + }, + {{- end }} + {{- if .callback_uri }} + "callback_uri": "{{ tpl .callback_uri $ | default $.Values.callback_uri }}", + {{- else }} + {{- fail "ERROR: Missing required field 'callback_uri' in one of the config chains" }} + {{ end }} + {{- if .jwks }} + "jwks": {{ .jwks | quote }}, + {{- else if .jwks_uri }} + "jwks_fetcher": { + "jwks_uri": {{ .jwks_uri | quote }}, + "periodic_fetch_interval_sec": {{ .periodic_fetch_interval_sec | default 60}}, + "skip_verify_peer_cert": {{ .skip_verify_peer_cert | default $.Values.global.skip_verify_peer_cert }} + }, + {{- end }} + {{- if .client_id }} + "client_id": "{{ .client_id }}", + {{- end }} + {{- if .client_secret }} + "client_secret": "{{ .client_secret }}", + {{- end }} + "cookie_name_prefix": "{{ default $k .cookie_name_prefix }}", + {{- if .certificate_authority }} + {{- if contains "\\n" .certificate_authority }} + "trusted_certificate_authority": "{{ .certificate_authority }}", + {{- else }} + "trusted_certificate_authority": {{ .certificate_authority | quote }}, + {{- end }} + {{- end }} + "logout": { + {{- if .logout_path }} + "path": "{{ .logout_path | default $.Values.global.logout_path }}", + {{- end }} + {{- if .logout_redirect_uri }} + "redirect_uri": "{{ .logout_redirect_uri | default $.Values.global.logout_redirect_uri }}" + {{- else if .oidc }} + "redirect_uri": "https://{{ .oidc.host | default $.Values.global.oidc.host }}/auth/realms/{{ .oidc.realm | default $.Values.global.oidc.realm}}/protocol/openid-connect/token/logout" + {{- else }} + "redirect_uri": "https://{{ $.Values.global.oidc.host }}/auth/realms/{{ $.Values.global.oidc.realm }}/protocol/openid-connect/token/logout" + {{- end}} + }, + {{- if .absolute_session_timeout }} + "absolute_session_timeout": "{{ .absolute_session_timeout }}", + {{- end }} + {{- if .idle_session_timeout }} + "idle_session_timeout": "{{ 
.idle_session_timeout }}", + {{- end }} + "scopes": {{ default list .scopes | toJson }} + } + } + ] + } + {{- end }} + ] + } diff --git a/src/authservice/chart/templates/uds-package.yaml b/src/authservice/chart/templates/uds-package.yaml new file mode 100644 index 000000000..fd386b729 --- /dev/null +++ b/src/authservice/chart/templates/uds-package.yaml @@ -0,0 +1,32 @@ +apiVersion: uds.dev/v1alpha1 +kind: Package +metadata: + name: authservice + namespace: {{ .Release.Namespace }} +spec: + network: + allow: + # Permit intra-namespace communication for multi-replica setup + - direction: Ingress + remoteGenerated: IntraNamespace + + - direction: Egress + remoteGenerated: IntraNamespace + + - direction: Egress + podLabels: + app.kubernetes.io/name: authservice + remoteNamespace: keycloak + remotePodLabels: + app.kubernetes.io/name: keycloak + port: 8080 + description: "Keycloak" + + - direction: Ingress + podLabels: + app.kubernetes.io/name: authservice + remoteNamespace: "" # Any namespace could have a protected app + remotePodLabels: + {{ .Values.selector.key }}: {{ .Values.selector.value }} + port: 10003 + description: "Protected Apps" diff --git a/src/authservice/chart/values.yaml b/src/authservice/chart/values.yaml new file mode 100644 index 000000000..fd3a61668 --- /dev/null +++ b/src/authservice/chart/values.yaml 
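Review bot: In the per-chain `jwks_fetcher` block, `{{ .skip_verify_peer_cert | default $.Values.global.skip_verify_peer_cert }}` uses `default`, which treats `false` as empty, so a chain cannot turn certificate verification back on when the global flag is `true` — a chain-level `skip_verify_peer_cert: false` silently renders as `true`. Use a presence test instead: `{{ if hasKey . "skip_verify_peer_cert" }}{{ .skip_verify_peer_cert }}{{ else }}{{ $.Values.global.skip_verify_peer_cert }}{{ end }}`. Separately, `client_secret`, `client_id` and the URIs are interpolated into JSON between bare quotes, so a secret containing `"` or `\` yields an unparsable config.json; `"client_secret": {{ $.Values.global.client_secret | toJson }},` (and likewise for the per-chain fields) escapes correctly. The global `jwks_fetcher` also emits `"skip_verify_peer_cert": "{{ … }}"` as a string while `default_oidc_config` emits a bare boolean — I would make them consistent unless the proto JSON parser is known to accept the quoted form.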
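Review bot: The `remotePodLabels` value is rendered bare as `{{ .Values.selector.value }}` while every other template in this patch quotes it; a selector value such as `true` or `1` would be typed by YAML and rejected by the Package CRD, so use `{{ .Values.selector.value | quote }}` here as well. A comment on that Ingress rule that the trust boundary is the label itself — any pod in any namespace that sets `{{ .Values.selector.key }}` gains network access to the ext-authz port — would make the design explicit; it is acceptable for a check-only gRPC endpoint, but it should be stated rather than inferred.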
@@ -0,0 +1,162 @@ +# -- Default values for authservice. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +# -- When setting this above 1, a redis configuration is required. +replicaCount: 1 + +image: + repository: ghcr.io/istio-ecosystem/authservice/authservice + pullPolicy: IfNotPresent + # -- Overrides the image tag whose default is the chart appVersion. + tag: "" + +# -- Issuer and jwks URIs if not using Keycloak +issuer_uri: "" +jwks_uri: "" + +# -- If true will allow the requests even no filter chain match is found +allow_unmatched_requests: false + +# -- Extra Ruleset for AuthorizationPolicy CUSTOM action to forward to Authservice. +# To enable `allow_unmatched_requests` must be `false`. These custom rules mean that only these requests +# will be routed and will break default BigBang setup for `prometheus/alertmanager/tempo` unless added. +# Path specific Operations are not supported, it is recommended to use only hosts, notHosts, & method operations. +# See reference: https://istio.io/latest/docs/reference/config/security/authorization-policy/ +custom_authpolicy_rules: + - when: + - key: request.headers[authorization] + notValues: + - "*" + +global: + # -- Global Authorization URI value to set if not using Keycloak + # authorization_uri: "" + # Global Token URI Value to set if not using Keycloak + # token_uri: "" + # Default client_id to be used in each chain + client_id: "global_id" + # -- default client_secret to be used in each chain + client_secret: "global_secret" + match: + # -- Header to match. The value ":authority" is used to match the requested hostname + header: ":authority" + # -- value matches the start of the header value defined above + prefix: "bigbang" + # -- Logout URL for the client + logout_path: "/globallogout" + # -- Logout Redirect URI for the client + logout_redirect_uri: "" + absolute_session_timeout: 0 + idle_session_timeout: 0 + # -- CA signing the OIDC provider. 
Passed through as a Helm multi-line string. See README for example. + certificate_authority: "" + # certificate_authority: | + # -----BEGIN CERTIFICATE----- + # MIIE4jCCAsqgAwIBAgIBATANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDEwZzZm8t + # Y2EwHhcNMTkxMjIwMDAxNjI1WhcNMjEwNjIwMDAxNjIxWjARMQ8wDQYDVQQDEwZz + # -----END CERTIFICATE----- + + # -- URI for Redis instance used for OIDC token storage/retrieval. This may also be specified per-chain. + # redis_server_uri: tcp://{{ .Release.Name }}-{{ .Release.Namespace }}-auth-redis-master:6379/ + oidc: + # -- OpenID Connect hostname. Assumption of Keycloak based on URL construction + host: login.dso.mil + # -- Realm for OpenID Connect + realm: baby-yoda + # -- escaped json for the JWKS + jwks: "" + # jwks: "{\"keys\":[{\"kid\":\"4CK69bW66HE2wph9VuBs0fTc1MaETSTpU1iflEkBHR4\",\"kty\":\"RSA\",\"alg\":\"RS256\",\"use\":\"sig\",\"n\":\"hiML1kjw-sw25BgaZI1AyfgcCRBPJKPE-wwttqa7NNxptr_5RCBGuJXqDyo3p1vjcbb8KjdKnXI7kWer8b2Pz_RP1m_QcPrKOxSluk7GZF8ARsc6FPGbzYgi8o8cBVSsaml6HZzpN3ZnH4DFZ27ifM-Ul_PyMxZ2aweohIaizXp-rgF7Rqpav5NXUwmcSyH8LP92NVIuFlD3HYTDGosVbfA_u_H25Z4XCGKW_vLDTNrl8PcA3HqIoD-vNavysdxAq_KNw7iLLc0KLsjFYSdJL_54H7QubsGR0AyIrLLurJbqAtvttGJK38k5XYWKIwYGtu6iiJwjSb7UtonVdPh8Vw\",\"e\":\"AQAB\",\"x5c\":[\"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\"],\"x5t\":\"mxFIwx7EdgxyC3Y6ODLx8yr8Bx8\",\"x5t#S256\":\"SdT7ScKVOnBW6qs_MuYdTGVtMGwYK_-nmQF9a_8lXco\"}]}" + + # -- Request URI that has the JWKs. If neither jwks or jwks_uri are specified the jwks_uri is computed based on the provided OIDC realm and and host" + jwks_uri: "" + + # -- Request interval to check whether new JWKs are available. + periodic_fetch_interval_sec: 60 + + # -- If set to true, the verification of the destination certificate will be skipped when making a request to the JWKs URI and the token endpoint. This option is useful when you want to use a self-signed certificate for testing purposes, but basically should not be set to true in any other cases. 
+ skip_verify_peer_cert: false + +# -- Individual chains. Must have a `name` value and a `callback_uri` +# NOTE: if using "match" can only specify `prefix` OR `equality`, not both +chains: + # minimal: + # callback_uri: https://minimal.bigbang.dev + # full: + # match: + # header: ":authority" + # prefix: "localhost" + # equality: "localhost.localdomain" + # authorization_uri: "https://example.com/auth" + # token_uri: "https://example.com/token" + # client_id: platform1_a8604cc9-f5e9-4656-802d-d05624370245_hello-world-authservice + # client_secret: secret_value + # callback_uri: https://localhost/login + # cookie_name_prefix: differentThanFull # Override the cookie name prefix in case you need it to be something else (ex. two apps share the same cookie) + # redis_server_uri: tcp://localhost:6379/ + # logout: + # path: "/logout" + # absolute_session_timeout: timeout_value + # idle_session_timeout: timeout_value + # oidc: + # host: local_oidc_host + # realm: local_oidc_realm + # jwks_uri: "https://keycloak.bigbang.dev/auth/realms/baby-yoda/protocol/openid-connect/certs" + # periodic_fetch_interval_sec: 60 + # certificate_authority: | + # -----BEGIN CERTIFICATE----- + # MIIE4jCCAsqgAwIBAgIBATANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDEwZzZm8t + # Y2EwHhcNMTkxMjIwMDAxNjI1WhcNMjEwNjIwMDAxNjIxWjARMQ8wDQYDVQQDEwZz + # -----END CERTIFICATE----- + # scopes: + # - additionalScope1 + # - additionalScope2 + # must have at least one entry, so we include this default filter + local: + match: + header: ":local" + prefix: "localhost" + client_id: local_id + client_secret: local_secret + callback_uri: https://localhost/login + logout_path: "/local" + +nameOverride: "authservice" + +podAnnotations: {} + +podSecurityContext: {} + +securityContext: {} + +resources: {} + +autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 3 + targetCPUUtilizationPercentage: 80 + +nodeSelector: {} + +tolerations: [] + +affinity: {} + +# -- Log level for the deployment +config: + logLevel: trace + +# -- 
Label to determine what workloads (pods/deployments) should be protected by authservice. +selector: + key: protect + value: keycloak + +# -- Values to bypass OIDC chains in favor or using istio authorizationpolicies.security.istio.io +# and requestauthentications.security.istio.io for certain endpoints. +trigger_rules: [] +# - excluded_paths: +# - exact: /api/healthcheck +# included_paths: +# - prefix: / +# See reference: https://github.com/istio-ecosystem/authservice/blob/master/docs/README.md diff --git a/src/authservice/common/zarf.yaml b/src/authservice/common/zarf.yaml new file mode 100644 index 000000000..18ad2d6ae --- /dev/null +++ b/src/authservice/common/zarf.yaml @@ -0,0 +1,14 @@ +kind: ZarfPackageConfig +metadata: + name: uds-core-authservice-common + description: "UDS Core Authservice Common" + url: https://github.com/istio-ecosystem/authservice + +components: + - name: authservice + required: true + charts: + - name: authservice + localPath: ../chart + version: 0.5.3 + namespace: authservice diff --git a/src/authservice/tasks.yaml b/src/authservice/tasks.yaml index e3b314c9b..7fa53d5d2 100644 --- a/src/authservice/tasks.yaml +++ b/src/authservice/tasks.yaml @@ -1,7 +1,17 @@ tasks: - name: validate actions: - - description: Validate... - cmd: "echo Replace Me" - # wait: - # cluster: + - description: Validate UDS Package Authservice is reconciled + wait: + cluster: + kind: Package + name: authservice + namespace: authservice + condition: "'{.status.phase}'=Ready" + - description: Validate authservice is up + wait: + cluster: + kind: Pod + name: "app.kubernetes.io/name=authservice" + namespace: authservice + condition: Ready diff --git a/src/authservice/values/registry1-values.yaml b/src/authservice/values/registry1-values.yaml new file mode 100644 index 000000000..97fb34ca0 --- /dev/null +++ b/src/authservice/values/registry1-values.yaml @@ -0,0 +1,3 @@ +image: + repository: registry1.dso.mil/ironbank/istio-ecosystem/authservice + tag: "0.5.3" 
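Review bot: `config.logLevel` defaults to `trace`, and `podSecurityContext`/`securityContext` default to `{}`, so out of the box the ext-authz service logs at its most verbose level (authservice's trace output presumably includes request headers, i.e. session cookies and tokens — confirm against the upstream logger) and runs with no non-root, no-privilege-escalation or read-only-root restrictions. The defaults `client_id: "global_id"` / `client_secret: "global_secret"` and the `local` chain's `local_secret` are placeholders that render straight into a live Secret; consider `""` defaults guarded by `required` in secret.yaml so a missing override fails at install instead of deploying a known credential. Suggested hardened defaults follow; `runAsNonRoot` requires the image to declare a non-root `USER`, which I cannot verify from this patch, and `readOnlyRootFilesystem` looks safe because the only write in the Deployment is the init container's emptyDir.
```yaml
# … unchanged: replicaCount, image, issuer/jwks, global, chains, nameOverride, podAnnotations …
podSecurityContext:
  runAsNonRoot: true
  seccompProfile:
    type: RuntimeDefault

securityContext:
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: true
  capabilities:
    drop:
      - ALL

# … unchanged: resources, autoscaling, nodeSelector, tolerations, affinity …
# -- Log level for the deployment. Keep at info or above in production; trace
# may write request headers (cookies/tokens) to the pod log.
config:
  logLevel: info
```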
diff --git a/src/authservice/values/upstream-values.yaml b/src/authservice/values/upstream-values.yaml new file mode 100644 index 000000000..1c01b5b26 --- /dev/null +++ b/src/authservice/values/upstream-values.yaml @@ -0,0 +1,3 @@ +image: + repository: ghcr.io/istio-ecosystem/authservice/authservice + tag: "0.5.3" diff --git a/src/authservice/zarf.yaml b/src/authservice/zarf.yaml index d75809a33..c87b7e7c6 100644 --- a/src/authservice/zarf.yaml +++ b/src/authservice/zarf.yaml @@ -1,11 +1,32 @@ kind: ZarfPackageConfig metadata: name: uds-core-authservice - description: "Example description" + description: "UDS Core Authservice" + url: https://github.com/istio-ecosystem/authservice components: - - name: test - actions: - onCreate: - after: - - cmd: echo "What can Doug do for you?" + - name: authservice + required: true + only: + flavor: upstream + import: + path: common + charts: + - name: authservice + valuesFiles: + - values/upstream-values.yaml + images: + - ghcr.io/istio-ecosystem/authservice/authservice:0.5.3 + + - name: authservice + required: true + only: + flavor: registry1 + import: + path: common + charts: + - name: authservice + valuesFiles: + - values/registry1-values.yaml + images: + - registry1.dso.mil/ironbank/istio-ecosystem/authservice:0.5.3 From 4f719a903c68b6001bfd6b0110695fe7003da379 Mon Sep 17 00:00:00 2001 From: Micah Nagel Date: Wed, 7 Feb 2024 16:37:11 -0700 Subject: [PATCH 02/10] wip: doug --- src/authservice/chart/values.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/authservice/chart/values.yaml b/src/authservice/chart/values.yaml index fd3a61668..1e0033960 100644 --- a/src/authservice/chart/values.yaml +++ b/src/authservice/chart/values.yaml 
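Review bot: Both flavors pin the authservice image by tag only (`…/authservice:0.5.3`); Zarf captures the image at package-create time, so drift is bounded, but a `@sha256:` digest alongside the tag would make the package build reproducible and catch a re-pushed tag before it is baked in. I do not have the digests to quote, so this is a request for the next revision rather than a proposed line.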
@@ -61,9 +61,9 @@ global: # redis_server_uri: tcp://{{ .Release.Name }}-{{ .Release.Namespace }}-auth-redis-master:6379/ oidc: # -- OpenID Connect hostname. Assumption of Keycloak based on URL construction - host: login.dso.mil + host: login.uds.dev # -- Realm for OpenID Connect - realm: baby-yoda + realm: doug # -- escaped json for the JWKS jwks: "" # jwks: "{\"keys\":[{\"kid\":\"4CK69bW66HE2wph9VuBs0fTc1MaETSTpU1iflEkBHR4\",\"kty\":\"RSA\",\"alg\":\"RS256\",\"use\":\"sig\",\"n\":\"hiML1kjw-sw25BgaZI1AyfgcCRBPJKPE-wwttqa7NNxptr_5RCBGuJXqDyo3p1vjcbb8KjdKnXI7kWer8b2Pz_RP1m_QcPrKOxSluk7GZF8ARsc6FPGbzYgi8o8cBVSsaml6HZzpN3ZnH4DFZ27ifM-Ul_PyMxZ2aweohIaizXp-rgF7Rqpav5NXUwmcSyH8LP92NVIuFlD3HYTDGosVbfA_u_H25Z4XCGKW_vLDTNrl8PcA3HqIoD-vNavysdxAq_KNw7iLLc0KLsjFYSdJL_54H7QubsGR0AyIrLLurJbqAtvttGJK38k5XYWKIwYGtu6iiJwjSb7UtonVdPh8Vw\",\"e\":\"AQAB\",\"x5c\":[\"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\"],\"x5t\":\"mxFIwx7EdgxyC3Y6ODLx8yr8Bx8\",\"x5t#S256\":\"SdT7ScKVOnBW6qs_MuYdTGVtMGwYK_-nmQF9a_8lXco\"}]}" From b4e683b741a0108d726cfb86389ffc4ad9ed9067 Mon Sep 17 00:00:00 2001 From: Micah Nagel Date: Wed, 7 Feb 2024 16:42:22 -0700 Subject: [PATCH 03/10] fix: all my terrible mistakes --- src/authservice/chart/templates/hpa.yaml | 33 +++++++++++++++++++ .../chart/templates/secret-ca.yaml | 11 +++++++ src/authservice/chart/templates/service.yaml | 16 +++++++++ src/authservice/chart/values.yaml | 6 ++-- 4 files changed, 63 insertions(+), 3 deletions(-) create mode 100644 src/authservice/chart/templates/hpa.yaml create mode 100644 src/authservice/chart/templates/secret-ca.yaml create mode 100644 src/authservice/chart/templates/service.yaml diff --git a/src/authservice/chart/templates/hpa.yaml b/src/authservice/chart/templates/hpa.yaml new file mode 100644 index 000000000..e5a4cb8ea --- /dev/null +++ b/src/authservice/chart/templates/hpa.yaml 
@@ -0,0 +1,33 @@
+{{- if .Values.autoscaling.enabled }}
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+ name: {{ include "authservice.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "authservice.labels" . | nindent 4 }}
+spec:
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: {{ include "authservice.fullname" . }}
+ minReplicas: {{ .Values.autoscaling.minReplicas }}
+ maxReplicas: {{ .Values.autoscaling.maxReplicas }}
+ metrics:
+ {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
+ - type: Resource
+ resource:
+ name: cpu
+ target:
+ type: Utilization
+ averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
+ {{- end }}
+ {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
+ - type: Resource
+ resource:
+ name: memory
+ target:
+ type: Utilization
+ averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
+ {{- end }}
+{{- end }}
diff --git a/src/authservice/chart/templates/secret-ca.yaml b/src/authservice/chart/templates/secret-ca.yaml
new file mode 100644
index 000000000..c62a57470
--- /dev/null
+++ b/src/authservice/chart/templates/secret-ca.yaml
@@ -0,0 +1,11 @@
+{{- if .Values.global.certificate_authority }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "authservice.fullname" . }}-sso-tls-ca
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "authservice.labels" . | nindent 4 }}
+stringData:
+ oidc-ca.crt: {{ .Values.global.certificate_authority | quote }}
+{{- end }}
\ No newline at end of file
diff --git a/src/authservice/chart/templates/service.yaml b/src/authservice/chart/templates/service.yaml
new file mode 100644
index 000000000..978a7b9ef
--- /dev/null
+++ b/src/authservice/chart/templates/service.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "authservice.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "authservice.labels" . | nindent 4 }}
+spec:
+ type: ClusterIP
+ ports:
+ - port: 10003
+ targetPort: 10003
+ protocol: TCP
+ name: grpc
+ selector:
+ {{- include "authservice.selectorLabels" . | nindent 4 }}
diff --git a/src/authservice/chart/values.yaml b/src/authservice/chart/values.yaml
index 1e0033960..856a8b1bd 100644
--- a/src/authservice/chart/values.yaml
+++ b/src/authservice/chart/values.yaml
@@ -81,7 +81,7 @@ global:
 # NOTE: if using "match" can only specify `prefix` OR `equality`, not both
 chains:
 # minimal:
- # callback_uri: https://minimal.bigbang.dev
+ # callback_uri: https://minimal.uds.dev
 # full:
 # match:
 # header: ":authority"
@@ -89,7 +89,7 @@ chains:
 # equality: "localhost.localdomain"
 # authorization_uri: "https://example.com/auth"
 # token_uri: "https://example.com/token"
- # client_id: platform1_a8604cc9-f5e9-4656-802d-d05624370245_hello-world-authservice
+ # client_id: uds_a8604cc9-f5e9-4656-802d-d05624370245_hello-world-authservice
 # client_secret: secret_value
 # callback_uri: https://localhost/login
 # cookie_name_prefix: differentThanFull # Override the cookie name prefix in case you need it to be something else (ex. two apps share the same cookie)
@@ -101,7 +101,7 @@ chains:
 # oidc:
 # host: local_oidc_host
 # realm: local_oidc_realm
- # jwks_uri: "https://keycloak.bigbang.dev/auth/realms/baby-yoda/protocol/openid-connect/certs"
+ # jwks_uri: "https://keycloak.uds.dev/auth/realms/doug/protocol/openid-connect/certs"
 # periodic_fetch_interval_sec: 60
 # certificate_authority: |
 # -----BEGIN CERTIFICATE-----
From 0cb9acae890303eacd319edb11802ed19eb6f26e Mon Sep 17 00:00:00 2001
From: Micah Nagel
Date: Wed, 7 Feb 2024 20:14:29 -0700
Subject: [PATCH 04/10] fix: netpol, config conditional
---
 src/authservice/chart/templates/uds-package.yaml | 10 +++-------
 src/pepr/config.ts | 2 +-
 2 files changed, 4 insertions(+), 8 deletions(-)
diff --git a/src/authservice/chart/templates/uds-package.yaml b/src/authservice/chart/templates/uds-package.yaml
index fd386b729..3884987bb 100644
--- a/src/authservice/chart/templates/uds-package.yaml
+++ b/src/authservice/chart/templates/uds-package.yaml
@@ -13,14 +13,10 @@ spec:
 - direction: Egress
 remoteGenerated: IntraNamespace
+ # Egress must be allowed to the external facing Keycloak endpoint
 - direction: Egress
- podLabels:
- app.kubernetes.io/name: authservice
- remoteNamespace: keycloak
- remotePodLabels:
- app.kubernetes.io/name: keycloak
- port: 8080
- description: "Keycloak"
+ remoteGenerated: Anywhere
+ description: "SSO Provider"
 - direction: Ingress
 podLabels:
diff --git a/src/pepr/config.ts b/src/pepr/config.ts
index 2fd53e7e4..d1f330cc1 100644
--- a/src/pepr/config.ts
+++ b/src/pepr/config.ts
@@ -1,4 +1,4 @@
-const isZarfEnv = process.env.UDS_DOMAIN !== "###ZARF_VAR_DOMAIN###";
+const isZarfEnv = process.env.UDS_DOMAIN === "###ZARF_VAR_DOMAIN###";
 export const UDSConfig = {
 // Ignore the UDS_DOMAIN if not deployed by Zarf
From 993165a2f3463ca50cf222ffcb4b8dc60de98ef0 Mon Sep 17 00:00:00 2001
From: Micah Nagel
Date: Wed, 7 Feb 2024 20:39:18 -0700
Subject: [PATCH 05/10] fix: add to package
---
 packages/standard/zarf.yaml | 9 +++++++++
 src/authservice/chart/values.yaml | 4 ++--
 2 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/packages/standard/zarf.yaml b/packages/standard/zarf.yaml
index 5a3ca8d3e..578292174 100644
--- a/packages/standard/zarf.yaml
+++ b/packages/standard/zarf.yaml
@@ -8,6 +8,7 @@ metadata:
 # x-release-please-end
 components:
+ # CRDs
 - name: prometheus-operator-crds
 required: true
 import:
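Review bot: The SSO egress rule drops from a pod-, namespace- and port-scoped allow (`remoteNamespace: keycloak`, `port: 8080`) to `remoteGenerated: Anywhere` with no port, so the authservice pods — which render the per-chain OIDC client secrets into their config — may now open a connection to any address on any port, a wide blast radius if the component is ever compromised. The comment explains the traffic must reach the external-facing Keycloak hostname, which presumably terminates at the in-cluster ingress gateway; the rule can stay narrow by targeting that gateway instead of Anywhere, e.g. `remoteNamespace: <gateway namespace>` with `remotePodLabels` for the gateway pods and `port: 443`. If Anywhere is genuinely required (for example when the hostname resolves off-cluster), at least keep `port: 443` and say so in the comment. The enclosing `allow:` list continues past the hunk.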
@@ -65,12 +66,20 @@ components:
 import:
 path: ../../src/prometheus-stack
+ # Promtail
 - name: promtail
 required: true
 import:
 path: ../../src/promtail
+ # Grafana
 - name: grafana
 required: true
 import:
 path: ../../src/grafana
+
+ # Authservice
+ - name: authservice
+ required: true
+ import:
+ path: ../../src/authservice
diff --git a/src/authservice/chart/values.yaml b/src/authservice/chart/values.yaml
index 856a8b1bd..0a04adf83 100644
--- a/src/authservice/chart/values.yaml
+++ b/src/authservice/chart/values.yaml
@@ -20,7 +20,7 @@ allow_unmatched_requests: false
 # -- Extra Ruleset for AuthorizationPolicy CUSTOM action to forward to Authservice.
 # To enable `allow_unmatched_requests` must be `false`. These custom rules mean that only these requests
-# will be routed and will break default BigBang setup for `prometheus/alertmanager/tempo` unless added.
+# will be routed and will break default UDS Core setup for `prometheus/alertmanager/tempo` unless added.
 # Path specific Operations are not supported, it is recommended to use only hosts, notHosts, & method operations.
 # See reference: https://istio.io/latest/docs/reference/config/security/authorization-policy/
 custom_authpolicy_rules:
@@ -42,7 +42,7 @@ global:
 # -- Header to match. The value ":authority" is used to match the requested hostname
 header: ":authority"
 # -- value matches the start of the header value defined above
- prefix: "bigbang"
+ prefix: "uds"
 # -- Logout URL for the client
 logout_path: "/globallogout"
 # -- Logout Redirect URI for the client
From 70054945600b966d5593129f7aeb9fb84aa60132 Mon Sep 17 00:00:00 2001
From: Micah Nagel
Date: Thu, 8 Feb 2024 14:23:33 -0700
Subject: [PATCH 06/10] fix: approach for isZarfEnv
---
 src/pepr/config.ts | 3 ++-
 tasks/deploy.yaml | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/pepr/config.ts b/src/pepr/config.ts
index d1f330cc1..51866d074 100644
--- a/src/pepr/config.ts
+++ b/src/pepr/config.ts
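Review bot: `prefix: "uds"` is a literal string-prefix test on the `:authority` header (the comment above it says so), so it only selects hostnames that begin with `uds` — `uds.dev` itself, not the `grafana.uds.dev`-style hosts a `*.uds.dev` deployment actually serves; the old `bigbang` value had the same shape, so this looks like a placeholder carried over rather than a working default. If `global.match` is the trigger rule a chain falls back to when it defines no `match` of its own (not visible in this hunk), a non-matching default means no chain is selected and, with `allow_unmatched_requests: false`, the request is refused, which is hard to diagnose from the values alone. Either note it on the value, `# NOTE: plain string prefix, "uds" will not match "app.uds.dev"`, or leave it empty so the operator has to set it deliberately.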
@@ -1,4 +1,5 @@
-const isZarfEnv = process.env.UDS_DOMAIN === "###ZARF_VAR_DOMAIN###";
+const isZarfEnv =
+ process.env.UDS_DOMAIN !== "###ZARF_VAR_DOMAIN###" && process.env.UDS_DOMAIN !== undefined;
 export const UDSConfig = {
 // Ignore the UDS_DOMAIN if not deployed by Zarf
diff --git a/tasks/deploy.yaml b/tasks/deploy.yaml
index 465e754b2..10ae69f94 100644
--- a/tasks/deploy.yaml
+++ b/tasks/deploy.yaml
@@ -24,7 +24,7 @@ tasks:
 cmd: |
 set -e
 PEPR_VERSION=$(npm pkg get version | tr -d '"')
- uds zarf package deploy build/zarf-package-pepr-uds-core-${UDS_ARCH}-${PEPR_VERSION}.tar.zst --confirm
+ uds zarf package deploy build/zarf-package-pepr-uds-core-${UDS_ARCH}-${PEPR_VERSION}.tar.zst --confirm --set DOMAIN="uds.dev"
 - description: "Deploy the requested Zarf Package (must set UDS_PKG environment variable)"
 cmd: uds zarf package deploy build/zarf-package-uds-core-${UDS_PKG}-${UDS_ARCH}.tar.zst --confirm
From 342735163f36fe9b94a56329cfc190a25d27b260 Mon Sep 17 00:00:00 2001
From: Micah Nagel
Date: Fri, 9 Feb 2024 08:58:30 -0700
Subject: [PATCH 07/10] chore: more cleaning
---
 src/authservice/chart/values.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/authservice/chart/values.yaml b/src/authservice/chart/values.yaml
index c6eef1658..e481a46a8 100644
--- a/src/authservice/chart/values.yaml
+++ b/src/authservice/chart/values.yaml
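Review bot: The new guard still lets an empty `UDS_DOMAIN=""` through, because `"" !== undefined` is true, so presumably the fallback the comment below describes is skipped and the domain becomes an empty string (the rest of `UDSConfig` is outside the hunk, so I cannot confirm what that produces downstream). A truthiness check covers undefined and empty at once: `const isZarfEnv = !!process.env.UDS_DOMAIN && process.env.UDS_DOMAIN !== "###ZARF_VAR_DOMAIN###";`. Since the flag now really means "a usable domain was supplied" rather than "running under Zarf", a name such as `hasConfiguredDomain` would say what the condition checks.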
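Review bot: The deploy task now hard-codes `--set DOMAIN="uds.dev"` into the shared pepr deploy command, so every caller of this task, not only local dev, is pinned to the dev domain. Source it from a task variable with `uds.dev` as the default instead, e.g. `--set DOMAIN="${DOMAIN}"` with `DOMAIN` declared in the task's `variables:` block (that block is outside the hunk). The `tasks:` mapping this step belongs to continues past the hunk.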
@@ -52,11 +52,11 @@ global:
 host: login.uds.dev
 # -- Realm for OpenID Connect
 realm: doug
- # -- JWKS, formatted as escaped JSON string
- jwks: ""
- # -- Request URI that has the JWKs. If neither jwks or jwks_uri are specified the jwks_uri is computed based on the provided OIDC realm and and host"
+ # -- Request URI that has the JWKs. If neither jwks or jwks_uri are specified the jwks_uri is computed based on the provided OIDC realm and and host
 jwks_uri: ""
+ # -- JWKS, takes precedence over jwks_uri if specified. Must be formatted as an escaped JSON string.
+ jwks: ""
 # -- Request interval to check whether new JWKs are available.
 periodic_fetch_interval_sec: 60
From 669911a33a3d5d546be25c72d75a9ab830687052 Mon Sep 17 00:00:00 2001
From: Micah Nagel
Date: Fri, 9 Feb 2024 09:03:14 -0700
Subject: [PATCH 08/10] chore: assume keycloak
---
 src/authservice/chart/templates/authn.yaml | 7 -------
 src/authservice/chart/templates/authz.yaml | 4 ----
 src/authservice/chart/templates/secret.yaml | 5 ++---
 src/authservice/chart/values.yaml | 4 ----
 4 files changed, 2 insertions(+), 18 deletions(-)
diff --git a/src/authservice/chart/templates/authn.yaml b/src/authservice/chart/templates/authn.yaml
index 5b45f8557..1c16c105c 100644
--- a/src/authservice/chart/templates/authn.yaml
+++ b/src/authservice/chart/templates/authn.yaml
@@ -1,6 +1,5 @@
 # Authservice is non-functional without Istio/RequestAuthentication but we wrap this in a conditional to handle standalone testing
 {{- if .Capabilities.APIVersions.Has "security.istio.io/v1beta1" }}
-{{- $jwks_uri := default $.Values.global.jwks_uri $.Values.jwks_uri }}
 apiVersion: security.istio.io/v1beta1
 kind: RequestAuthentication
 metadata:
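Review bot: The new `jwks` comment says it takes precedence over `jwks_uri` but not what is given up: with a static JWKS the `jwks_fetcher` block — and with it `periodic_fetch_interval_sec` — is not rendered at all (see the `{{- if $.Values.global.jwks }} … {{- else }} "jwks_fetcher"` branch of secret.yaml later in this series), so a signing-key rotation at the IdP breaks every login until the chart is upgraded with the new keys. Worth saying on the value itself, e.g. `# -- Static JWKS (escaped JSON). Takes precedence over jwks_uri; keys are then never refreshed, periodic_fetch_interval_sec has no effect, and IdP key rotation requires a chart upgrade.` The retained `jwks_uri` comment also still reads `realm and and host`; the stray trailing quote was fixed but the doubled word was not.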
@@ -11,15 +10,9 @@ spec:
 matchLabels:
 {{ .Values.selector.key }}: {{ .Values.selector.value | quote }}
 jwtRules:
- {{- if .Values.issuer_uri }}
- - issuer: {{ .Values.issuer_uri }}
- {{- else }}
 - issuer: https://{{ .Values.global.oidc.host }}/auth/realms/{{ .Values.global.oidc.realm }}
- {{- end }}
 {{- if .Values.global.jwks }}
 jwks: {{ .Values.global.jwks | quote }}
- {{- else if $jwks_uri }}
- jwksUri: {{ $jwks_uri }}
 {{- else }}
 jwksUri: https://{{ .Values.global.oidc.host }}/auth/realms/{{ .Values.global.oidc.realm }}/protocol/openid-connect/certs
 {{- end }}
diff --git a/src/authservice/chart/templates/authz.yaml b/src/authservice/chart/templates/authz.yaml
index 7d3a814e4..c428885f2 100644
--- a/src/authservice/chart/templates/authz.yaml
+++ b/src/authservice/chart/templates/authz.yaml
@@ -37,9 +37,5 @@ spec:
 - from:
 - source:
 requestPrincipals:
- {{- if .Values.issuer_uri }}
- - "{{ .Values.issuer_uri }}/*"
- {{- else }}
 - "https://{{ .Values.global.oidc.host }}/auth/realms/{{ .Values.global.oidc.realm }}/*"
- {{- end }}
 {{- end }}
diff --git a/src/authservice/chart/templates/secret.yaml b/src/authservice/chart/templates/secret.yaml
index 4f5f3705b..7afb4080b 100644
--- a/src/authservice/chart/templates/secret.yaml
+++ b/src/authservice/chart/templates/secret.yaml
@@ -1,4 +1,3 @@
-{{- $jwks_uri := default $.Values.global.jwks_uri $.Values.jwks_uri }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -24,8 +23,8 @@ stringData:
 "jwks": {{ $.Values.global.jwks | quote }},
 {{- else }}
 "jwks_fetcher": {
- {{- if $jwks_uri }}
- "jwks_uri": "{{ $jwks_uri }}",
+ {{- if $.Values.global.jwks_uri }}
+ "jwks_uri": "{{ $.Values.global.jwks_uri }}",
 {{- else }}
 "jwks_uri": "https://{{ $.Values.global.oidc.host }}/auth/realms/{{ $.Values.global.oidc.realm }}/protocol/openid-connect/certs",
 {{- end }}
diff --git a/src/authservice/chart/values.yaml b/src/authservice/chart/values.yaml
index e481a46a8..d775dfdbe 100644
--- a/src/authservice/chart/values.yaml
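Review bot: With the `issuer_uri` override gone, the issuer Istio validates against is fixed to `https://{host}/auth/realms/{realm}` at the `- issuer:` line, and Istio compares that string byte-for-byte with the token's `iss` claim; newer (Quarkus-based) Keycloak releases serve realms without the `/auth` prefix by default, so a realm at `https://login.example.com/realms/doug` would have every token rejected with 401 and nothing in the chart would say why. Record the assumption at that line, `# Assumes the legacy Keycloak path layout (/auth/realms/...); must equal the iss claim exactly`, so the failure is diagnosable, and guard the host with `{{ required "global.oidc.host must be set" .Values.global.oidc.host }}`, since an unset host otherwise renders the issuer `https:///auth/realms/...` instead of failing the render. The `{{- if }}` on the Istio API group that opens this template is outside the hunk.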
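Review bot: The surviving `requestPrincipals` entry ends in `/*`, which in Istio matches every subject of that issuer, so this AuthorizationPolicy only proves "authenticated against realm `{realm}`" and any per-app role or group check has to happen elsewhere (presumably in authservice's chain config, which is outside this file). That is a reasonable design, but it is exactly the kind of thing a later reader will assume the policy does, so a one-line comment above the list is worth it: `# Any authenticated principal of the realm is allowed here; authorization is enforced by authservice.` The `rules:` list this `from:` belongs to starts before the hunk.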
+++ b/src/authservice/chart/values.yaml
@@ -7,10 +7,6 @@ image:
 # -- Overrides the image tag whose default is the chart appVersion.
 tag: ""
-# -- Issuer and jwks URIs if not using Keycloak
-issuer_uri: ""
-jwks_uri: ""
-
 # -- If true will allow the requests even no filter chain match is found
 allow_unmatched_requests: false
From b24ea803036916051e7fd182b879b1a406f3c6d0 Mon Sep 17 00:00:00 2001
From: Micah Nagel
Date: Fri, 9 Feb 2024 09:25:14 -0700
Subject: [PATCH 09/10] fix: helm is so much fun
---
 src/authservice/chart/templates/secret.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/authservice/chart/templates/secret.yaml b/src/authservice/chart/templates/secret.yaml
index 7afb4080b..f4c24588a 100644
--- a/src/authservice/chart/templates/secret.yaml
+++ b/src/authservice/chart/templates/secret.yaml
@@ -80,8 +80,8 @@ stringData:
 "filters": [
 {
 "oidc_override": {
- "authorization_uri": "https://{{ .oidc.host | default $.Values.global.oidc.host }}/auth/realms/{{.oidc.realm | default $.Values.global.oidc.realm }}/protocol/openid-connect/auth",
- "token_uri": "https://{{ .oidc.host | default $.Values.global.oidc.host }}/auth/realms/{{ .oidc.realm | default $.Values.global.oidc.realm }}/protocol/openid-connect/token",
+ "authorization_uri": "https://{{ (dig "oidc" "host" $.Values.global.oidc.host .) }}/auth/realms/{{ (dig "oidc" "realm" $.Values.global.oidc.realm .) }}/protocol/openid-connect/auth",
+ "token_uri": "https://{{ (dig "oidc" "host" $.Values.global.oidc.host .) }}/auth/realms/{{ (dig "oidc" "realm" $.Values.global.oidc.realm .) }}/protocol/openid-connect/token",
 {{- if or .redis_server_uri $.Values.global.redis_server_uri }}
 "redis_session_store_config": {
 "server_uri": {{ .redis_server_uri | default $.Values.global.redis_server_uri | quote }}
From b4130e964ba591ec00eb7a1645027811ada805c1 Mon Sep 17 00:00:00 2001
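Review bot: The `dig` lookups fix the nil-map panic for chains without an `oidc:` block, but the same two-argument expression is now repeated four times across `authorization_uri` and `token_uri`, and the two lines are long enough that a drift between them (host from one expression, realm from another) would be easy to miss; resolving the host and realm once per chain keeps the two URIs provably built from the same values. One behavioural difference to be aware of: `dig` returns the stored value even when it is an empty string, whereas the old `| default` fell back on empty, so a chain with `oidc: { host: "" }` now renders `https:///auth/realms/…` rather than using the global host. The enclosing `range` over `.Values.chains` starts before the hunk.

```yaml
          {{- $oidcHost := dig "oidc" "host" $.Values.global.oidc.host . }}
          {{- $oidcRealm := dig "oidc" "realm" $.Values.global.oidc.realm . }}
          "oidc_override": {
            "authorization_uri": "https://{{ $oidcHost }}/auth/realms/{{ $oidcRealm }}/protocol/openid-connect/auth",
            "token_uri": "https://{{ $oidcHost }}/auth/realms/{{ $oidcRealm }}/protocol/openid-connect/token",
            # … unchanged: redis_session_store_config and the rest of the override …
```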
From: Micah Nagel
Date: Fri, 9 Feb 2024 10:45:06 -0700
Subject: [PATCH 10/10] chore: more cleaning
---
 src/authservice/chart/templates/secret.yaml | 4 ----
 src/authservice/chart/values.yaml | 5 ++---
 2 files changed, 2 insertions(+), 7 deletions(-)
diff --git a/src/authservice/chart/templates/secret.yaml b/src/authservice/chart/templates/secret.yaml
index f4c24588a..8df1a07bb 100644
--- a/src/authservice/chart/templates/secret.yaml
+++ b/src/authservice/chart/templates/secret.yaml
@@ -23,11 +23,7 @@ stringData:
 "jwks": {{ $.Values.global.jwks | quote }},
 {{- else }}
 "jwks_fetcher": {
- {{- if $.Values.global.jwks_uri }}
- "jwks_uri": "{{ $.Values.global.jwks_uri }}",
- {{- else }}
 "jwks_uri": "https://{{ $.Values.global.oidc.host }}/auth/realms/{{ $.Values.global.oidc.realm }}/protocol/openid-connect/certs",
- {{- end }}
 "periodic_fetch_interval_sec": {{ $.Values.global.periodic_fetch_interval_sec }},
 "skip_verify_peer_cert": "{{ $.Values.global.skip_verify_peer_cert }}"
 },
diff --git a/src/authservice/chart/values.yaml b/src/authservice/chart/values.yaml
index d775dfdbe..c1cd139c3 100644
--- a/src/authservice/chart/values.yaml
+++ b/src/authservice/chart/values.yaml
@@ -49,9 +49,7 @@ global:
 # -- Realm for OpenID Connect
 realm: doug
- # -- Request URI that has the JWKs. If neither jwks or jwks_uri are specified the jwks_uri is computed based on the provided OIDC realm and and host
- jwks_uri: ""
- # -- JWKS, takes precedence over jwks_uri if specified. Must be formatted as an escaped JSON string.
+ # -- JWKS, a default jwks_uri is computed if not specified. Must be formatted as an escaped JSON string.
 jwks: ""
 # -- Request interval to check whether new JWKs are available.
@@ -85,6 +83,7 @@ chains:
 # path: "/logout"
 # absolute_session_timeout: timeout_value
 # idle_session_timeout: timeout_value
+ # jwks_uri: https://myapp.uds.dev/jwks # Override if this client is on a different realm
 # oidc:
 # host: local_oidc_host
 # realm: local_oidc_realm
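Review bot: The retained `"skip_verify_peer_cert": "{{ $.Values.global.skip_verify_peer_cert }}"` line in this fetcher block is the one setting here that deserves a guard: when it is true, the JWKS used to validate every token is pulled over TLS with no peer verification, so anyone able to interpose on the path to `oidc.host` (which the netpol in this series now allows egress to from Anywhere) can substitute their own signing keys and mint identities the mesh accepts. I cannot see the default from this hunk; please confirm it is `false`, mark it in values.yaml as a local-dev-only switch, and consider `{{ fail "skip_verify_peer_cert and certificate_authority are mutually exclusive" }}` when both are set, since the two contradict each other. The value is also rendered as the quoted string `"true"`/`"false"`; whether authservice parses that as a boolean is not evident from the template and is worth a comment.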
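Review bot: The rewritten `jwks` comment, `JWKS, a default jwks_uri is computed if not specified`, reads as though `jwks_uri` is still a value this key falls back to, but this same commit removes `global.jwks_uri` from both values.yaml and secret.yaml, so the computed URI is now the only alternative and nothing the operator sets can change it. Suggest `# -- Static JWKS as an escaped JSON string. Leave empty to fetch keys from https://<oidc.host>/auth/realms/<oidc.realm>/protocol/openid-connect/certs every periodic_fetch_interval_sec.` The chain-level `# jwks_uri: https://myapp.uds.dev/jwks` example added further down says "Override if this client is on a different realm", yet the chain template visible in this series only consumes `oidc.host`/`oidc.realm`; unless a chain-level `jwks_uri` is read somewhere outside the diff, that example documents a knob with no effect and should be dropped or pointed at the `oidc:` sub-block instead.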